LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-20-2003, 05:12 PM   #1
mark2117
LQ Newbie
 
Registered: Sep 2003
Posts: 12

Rep: Reputation: 0
SSH2 and PermitRootLogin=No


With SSH1 there was a way to PermitRootLogin=No and still allow root to do some commands remotely to facilitate some system administration but not an unrestricted logon in the authorizedkeys file. I need to do this with SSH2, however, I have been unsuccessful.


I would greatly appreciate some assistance

Thanks in advance,
Mark
 
Old 10-21-2003, 05:14 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Is there any problem to login with another user & 'su -' to root user?
 
Old 10-21-2003, 06:27 PM   #3
mark2117
LQ Newbie
 
Registered: Sep 2003
Posts: 12

Original Poster
Rep: Reputation: 0
Thats exactly what we want. We want people to logon and then su for an audit trail. However, we still need the ability to push changes out after you have su'd on one server to the others with scp or sftp.

Mark
 
Old 10-22-2003, 05:11 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Ok, I'm not sure I fully understand what you are trying to achieve...
I think you want to copy changes on one machine to other machines with scp/sftp..

If someone logs in and su - to root, they can then scp/sftp from there to another machine.

Usually for maintenance, if this is a common repetitive action, it can be scripted. It depends on whether you want to use shared keys or just passwords.

I usually make a softlink to any file I have changed into a "transfer" directory, then list the softlinks with ls -l to catch the original file name, and then scp those files to other destinations in one action. (using shared keys)

This requires root privelege coz some files are only root accesible and writeable...

Last edited by peter_robb; 10-22-2003 at 05:12 AM.
 
Old 10-22-2003, 09:19 AM   #5
mark2117
LQ Newbie
 
Registered: Sep 2003
Posts: 12

Original Poster
Rep: Reputation: 0
We don't want to use keys and we don't want people to be able to logon as root. Unfortunately on my lab servers when I set "PermitRootLogin=No" root is no longer capable of moving files around, because in order for the "scp -p file root@server:/somewhere" to happen root must logon. In my Orielly book it indicates that SSH1 (even with PermitRootLogin=No) could be configured to permit root remote login access for a specific command (ie ssh -X root@server ls) but not a full logon. The forces people to logon as themselves and su to root so at least you always know "who" is on the system vs's if people can logon as root it can be very difficult to determine who did what. I could use NFS mounts and perl to move files that change but that is messy when you just need to make a simple change to a file and push it to all the servers scp is much better. Also while I can program in perl and shell languages not all of the admins can. So the desire is to keep this simple and what other sysadmins are familiar with.

Thanks,
Mark
 
Old 10-22-2003, 11:46 AM   #6
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Hi mark,

I know what you're trying to do - I've done the same thing and had the same problem. Its all very well doing things manually, but if you've got a file to push out to 200 servers, or a command to run, you can save hours of time by running it from a central point to multiple servers.

One way I got round it was to allow root login, but put some code in root's .profile that blocks logins (the code needs to check the parent process doing the login and just exit if it is ssh, telnet, rsh etc.). You have to be careful, but this can work well.

Another approach you could take is to allow the same thing with a non-root user. This is a lot less flexible (e.g. you can only copy out files where that user has the permissions to write to the directories/files) but is safer and can be used for limited purposes.

Of course, one thing to remember with the root solution is that nothing stops you running rm -r / across all your servers in one command.
 
Old 10-22-2003, 02:01 PM   #7
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Why don't you create a shell script which checks for tasks to be done by a group of machines? For instance you could use perl and it's excellent DBI to query a MySQL database for commands to be done. That way you can easily create a webmanagement area for your servers :-)
 
Old 10-22-2003, 03:02 PM   #8
mark2117
LQ Newbie
 
Registered: Sep 2003
Posts: 12

Original Poster
Rep: Reputation: 0
Hey Iainr,

I like that idea. I had not thought of that and I have done some similiar stuff with Tier 1's .profiles to limit thier access. I'll give it a shot.

Thanks!!
 
Old 10-22-2003, 03:02 PM   #9
mark2117
LQ Newbie
 
Registered: Sep 2003
Posts: 12

Original Poster
Rep: Reputation: 0
Hey Markus,

Your idea would work as well....but honestly.....I just think a couple of the other admins would not like giving up their scp ability. So I guess more for political reasons vs's techinical that can't be done........
 
Old 10-23-2003, 06:08 AM   #10
wisey
LQ Newbie
 
Registered: Oct 2003
Location: Kent, England
Distribution: RH9 and Debian 3.0r1
Posts: 11

Rep: Reputation: 0
Why do you want to force changes across the platforms? Can you not
use a DNS style change policy where servers automatically expire their
configs after 'n' days and then recollect the new versions? This would
remove the requirement for root scp at all, all configs could be stored on
a central system under a different user.

Whilst you would sacrifice immediacy, you would gain a lot more stability
and security. Pull rather than push, always easier to maintain.

--
\ /
\/\/ isey
 
Old 10-23-2003, 11:48 AM   #11
mark2117
LQ Newbie
 
Registered: Sep 2003
Posts: 12

Original Poster
Rep: Reputation: 0
True that is indeed another way of doing things and for items that change regularly we have something like that in place. However, some of the people with a valid "root" requirement are not local and will provide strong opposition to the increased security if we don't facilitate a less intrusive way for them to continue business as usual. So as always security must maintain that balance of "risk vs's requirements".

Thanks,
Mark
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Ssh2? Suse? jakkals Linux - Networking 3 03-27-2005 04:00 PM
ssh2 using securecrt meeh Linux - Networking 0 02-28-2004 04:52 AM
SSH and PermitRootLogin Help Please imurderer Linux - Security 3 11-14-2003 06:19 PM
ssh2 on RH 7.2 GEEXTER Linux - Security 3 05-06-2003 01:51 PM
Need Help with SSH2 fenris@bu Linux - Security 2 06-01-2001 11:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration